
Re: new second mandatory IPsec cipher - updated choice list



On Wed, 14 Jul 1999 tytso@MIT.EDU wrote:

> Two issues with the AES candidates is that first of all, while the
> eventual AES candidate will be free of licensing issues, this is not a
> NIST requirement of the AES candidates before one of them is chosen.

> Secondly, most of the AES candidates are "young";

True. Nevertheless, my gut feeling about (e.g.) Rijndael is better than
about CAST-128 (note that Rijndael is also one of the leading AES
candidates, while the successor of CAST-128, CAST-256, is most probably
not going to make it to the second round of candidates). Why?

* Rijndael is based on the design of Shark and Square. Square has been
  known for 2.5 years and _no weaknesses_ in it have been found.
* The theory behind Rijndael (or Square) seems to guarantee
  that a completely new type of attack would have to be invented to break them.
* Rijndael is (most probably) much more secure than the unbroken Square
  due to the added rounds.

Moreover, Rijndael is the fastest AES candidate on average (cf.
http://home.cyber.ee/helger/aes/) and free of patents. Thus, I'd advocate
strongly for including Rijndael at least in RFC 2451.

But I would personally oppose any additional MUST algorithms at the moment
(IDEA would be the only exception if there were no patents).

David Wagner (or anyone else who scrutinizes block ciphers) could
comment...

Helger
http://home.cyber.ee/helger


